Systems of Systems: Cybersecurity Vulnerabilities and Opportunities
MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC)3
Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks
Dr. Qi Van Eikema Hommes, Lecturer & Research Affiliate
Hamid Salim
Stuart Madnick, Professor
Michael Coden, CISSP, Associate Director MIT-(IC)3
Presented at the International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange, International Atomic Energy Agency, June 2, 2015, Vienna, Austria
Copyright 2015, MIT-(IC)3, All Rights Reserved. http://ic3.mit.edu
Presentation Outline
• (IC)3
• Research Motivations
• Approaches
  – System-Theoretic Accident Model and Processes (STAMP)
  – Causal Analysis based on STAMP (CAST)
  – System Theoretic Process Analysis (STPA)
• Case Study
  – CAST Applied to the TJX Case
  – CAST Applied to Stuxnet
• Future Research Directions
(IC)3 is a Shared Research Consortium
Join (IC)3 at http://ic3.mit.edu
Each member contributes to the annual research budget. All members share in the tools, models, methods, processes and procedures developed.
Research Motivations
Cyber to Physical Risks With Major Consequences
(Figure source: Hitachi)
System Theoretic Accident Model and Processes (STAMP)
Professor Nancy Leveson analyzes industrial accidents including Citichem Oakbridge, the Challenger disaster, etc., developing STAMP:
• Modeling the effects of complex system interactions by:
  • Hierarchical layers of actuators/controls and sensors/feedback
  • Including the role of human actions and decisions as a part of the whole system
[Figure: STAMP control loop. The Controller, holding a model of the controlled process, issues Control Actions (= Actuators) to the Controlled Process and receives Feedback (= Sensors) from it.]
Typical Industrial or Cyber Incident Investigation Model
Investigation usually stops when a human error is found
Add Maintenance and Evolution Layers
Add Project Management and Operations Management Layers
Add Company Management Layer
Add State, Federal, Regulatory Layers
Generic Control Model
The Approaches
STAMP = System Theoretic Accident Model And Processes
1. CAST: Causal Analysis using System Theory
   – Prove the model by looking backwards
2. STPA: System Theoretic Process Analysis
   – Apply the model looking forward for incident prevention
CAST Systematic Analysis Process
1 System and hazard definition
2 System level safety/security requirements
3 Draw hierarchical control structure
4 Proximate events
5 Analyze the physical system
6 Moving up the levels of the control structure
7 Coordination and communication
8 Dynamics and change over time
9 Generate recommendations.
STPA Systematic Incident Prevention Process
[Figure: analysis flow] Safety or Security Problem to Prevent → Hazard → Inadequate Control Actions → Causes → Design and Management Requirements and Controls
TJX (TJ Maxx & Marshalls) Case Study
• TJX is a US-based major off-price retailer.
  – Revenues > $25 billion (FY2014)
• Victim of the largest (by number of cards) cyber-attack in history when announced in 2007.
• Cost to TJX > $170 million, per SEC filings.
• Cyber-attack launched from a store in Miami, FL in 2005 by exploiting a Wi-Fi vulnerability.
• Hackers ultimately reached corporate payment servers and stole current transaction data.
• Cyber-attack lasted for over 1.5 years. (According to the US ICS-CERT, based on all reported ICS cyber-attacks, the average time that cyber-attackers were inside the ICS system before being discovered was 243 days.)
Sources: Federal/State Court records (primary), TJX SEC Filings, Others (NYT, WSJ, Globe, FTC, Academic papers, Journal articles). ICS-CERT Oral Presentation, ABB Automation & Power World, March 2015
CAST Step 1: Identify System and Hazards
• System
  – TJX payment card processing system
• Hazards (at system level)
  – System allows for unauthorized access to customer information
CAST Step 2: Define System Security Requirements
• Protect customer information from unauthorized access.
• Provide adequate training to staff for managing security technology infrastructure.
• Minimize losses from unauthorized access to payment system.
CAST Step 3: Hierarchical Control Structure
Proximal Event Chain
Breaching Marshalls’ Store
1. AP: Open authentication vs. Shared Key authentication.
2. WEP, a publicly known weak algorithm, was compromised.
3. Sniffers used to monitor data packets.
4. Hackers stole store employee account information and gained access to TJX corporate servers.
Hackers Establish VPN Connection
1. Hackers use the Marshalls AP to set up a VPN connection.
2. The VPN is between the TJX corporate server and hacker-controlled servers in Latvia.
3. Code installed on the TJX corporate payment processing server.
4. No longer using the TJX network.
Flow for Sales of Stolen Payment Card Information
Hackers sold credit card data for almost 1.5 years.
Analyzing the Physical System
CAST Step 5: Analyzing the Physical Process (TJX Retail Store)
Four key areas:
1. Safety Requirements & Constraints
2. Emergency & Safety Equipment
3. Failures & Inadequacy
4. Physical & Contextual Factors
• Safety Requirements and Constraints
  • Prevent unauthorized access to customer information.
• Emergency and Safety Equipment
  • Wi-Fi network Access Point (AP) authentication
  • Wi-Fi encryption algorithm
• Failures and Inadequacy
  • Retail store Wi-Fi AP misconfigured
  • Inadequate encryption technology: WEP decrypting keys were freely available on the internet.
  • Inadequate monitoring of data activities on the Wi-Fi.
• Physical & Contextual Factors
  • Early adopter of Wi-Fi
  • Learning curve and training
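As an added example (not from the MIT (IC)3 deck), a Python audit of a constructed retail-store access point inventory against the three "emergency and safety equipment" controls the slide names (AP authentication, Wi-Fi encryption algorithm, Wi-Fi monitoring), reporting findings in the slide's "Failures and Inadequacy" vocabulary. Store identifiers, SSIDs and configuration values are constructed for illustration.

```python
# Added example, not from the MIT (IC)3 deck: audit a constructed inventory of
# retail-store Wi-Fi access point configurations against the controls named in
# CAST step 5 (AP authentication, encryption algorithm, monitoring) and report
# findings using the slide's "Failures and Inadequacy" categories.
from collections import namedtuple

AccessPoint = namedtuple("AccessPoint", "store ssid auth encryption monitoring")

# Constructed inventory. The first entry mirrors the slide's misconfigured
# store AP: open authentication, WEP, and no monitoring of Wi-Fi traffic.
INVENTORY = [
    AccessPoint("Store-0412", "STORE-POS", "open", "WEP", False),
    AccessPoint("Store-0007", "STORE-POS", "shared-key", "WEP", True),
    AccessPoint("Store-0001", "STORE-POS", "802.1X", "WPA2", True),
]

# WEP is treated as inadequate: its keys were recoverable with freely
# available tools, as the slide notes. WPA2/WPA3 are accepted here.
ACCEPTED_ENCRYPTION = {"WPA2", "WPA3"}


def audit_access_point(ap):
    """Return (category, detail) pairs for one AP; empty list if it is adequate."""
    where = f"{ap.store}/{ap.ssid}"
    findings = []
    if ap.auth == "open":
        findings.append(("Retail store Wi-Fi AP misconfigured", f"{where}: open authentication"))
    if ap.encryption not in ACCEPTED_ENCRYPTION:
        findings.append(("Inadequate encryption technology", f"{where}: {ap.encryption}"))
    if not ap.monitoring:
        findings.append(("Inadequate monitoring", f"{where}: Wi-Fi traffic not monitored"))
    return findings


def audit_inventory(inventory):
    """Group findings by CAST failure category so each maps to one recommendation."""
    by_category = {}
    for ap in inventory:
        for category, detail in audit_access_point(ap):
            by_category.setdefault(category, []).append(detail)
    return by_category


if __name__ == "__main__":
    for category, details in audit_inventory(INVENTORY).items():
        print(category)
        for d in details:
            print("  -", d)
```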
Analyzing the Control Structure
Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure
Payment Card Processing System
• Safety Requirements and Constraints
  • Prevent unauthorized access to customer information.
• Emergency and Safety Equipment
  – Payment card data is encrypted during transmission and storage
  – Conform to Payment Card Industry Data Security Standard (PCI-DSS)
• Failures and Inadequacy
  – Payment data briefly stored and then transmitted unencrypted to the bank.
  – Not compliant with PCI-DSS.
  – Fifth Third Bancorp had limited influence on TJX
• Physical & Contextual Factors
  – PCI-DSS is not legally required by States (except for NV) or the Federal Government.
  – Fifth Third Bancorp has no regulatory role
Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure
State Legislature
• PCI-DSS is a law in the State of Nevada, but not in Massachusetts where TJX is headquartered.
• TJX creates jobs and generates tax revenue in Massachusetts.
Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure
Regulatory Agencies: FTC, SEC, etc.
• Most cyber security standards are voluntary and are written broadly.
• At the time of the attack, no regulation existed for the overall retail industry.
Coordination and Communication
Step 7: Coordination and Communication
Findings marked on the control structure diagram (one per slide):
• Aware of PCI-DSS compliance issue.
• Lack of coordination for PCI-DSS compliance.
• Cyber security spending was not the highest priority.
• Missing support.
• Uninformed.
• No single person responsible for cyber security.
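As an added example (not part of the MIT (IC)3 deck), a minimal Python model of a STAMP hierarchical control structure for the TJX payment card processing system with the CAST step 6/7 checks applied: it flags controllers that issue control actions without receiving feedback (the "Uninformed" and "Missing support" findings) and security requirements that no controller owns ("No single person responsible for cyber security"). Controller names, control/feedback links and responsibility assignments are constructed from the slides, not the authors' own model.

```python
# Added example, not from the MIT (IC)3 deck: a minimal STAMP hierarchical
# control structure for the TJX payment card processing system with the
# CAST step 6/7 checks for inadequate control. Controllers, links and
# responsibility assignments are constructed from the slides for illustration.
from dataclasses import dataclass, field


@dataclass
class Controller:
    name: str
    controls: set = field(default_factory=set)          # receives this controller's control actions
    feedback_from: set = field(default_factory=set)     # sends feedback back to this controller
    responsibilities: set = field(default_factory=set)  # system security requirements it owns


# System-level security requirements from CAST step 2 (paraphrased).
SECURITY_REQUIREMENTS = [
    "protect customer information",
    "train staff on security technology",
    "minimize losses from unauthorized access",
]


def build_tjx_structure():
    """Constructed control hierarchy: who controls whom, and who hears back."""
    return [
        Controller("State Legislature", {"TJX Management"}),
        Controller("TJX Management", {"IT Department"}, set(), {"cyber security budget"}),
        # IT gets feedback from the payment server but not from store Wi-Fi
        # (the slide's "inadequate monitoring of data activities on the Wi-Fi").
        Controller("IT Department", {"Retail Store Wi-Fi", "Payment Server"},
                   {"Payment Server"}, {"protect customer information"}),
        # The acquiring bank had limited influence and no regulatory role.
        Controller("Fifth Third Bancorp", {"TJX Management"}, set(), {"PCI-DSS compliance"}),
    ]


def find_inadequate_control(controllers, requirements):
    """CAST step 6/7 checks. Returns one finding string per problem: a control
    action with no feedback path (the controller is uninformed), or a security
    requirement that no controller is responsible for."""
    findings = []
    for c in controllers:
        for target in sorted(c.controls - c.feedback_from):
            findings.append(f"{c.name}: controls '{target}' but receives no feedback (uninformed)")
    owned = set().union(*(c.responsibilities for c in controllers))
    for req in [r for r in requirements if r not in owned]:
        findings.append(f"no controller responsible for requirement '{req}'")
    return findings


if __name__ == "__main__":
    for line in find_inadequate_control(build_tjx_structure(), SECURITY_REQUIREMENTS):
        print(line)
```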
Dynamic Migration to High Risk State
CAST Step 8: Dynamics and Migration to a High-Risk State
• Initially cyber security risk was low because vulnerabilities were unknown to everyone: experts, businesses, and hackers.
• Flaws in managerial decision making process.
  – Information availability: recent experiences strongly influence the decision (i.e., no break-ins so far).
CAST Step 8: Dynamics and Migration to a High-Risk State (Cont.)
“My understanding is that we can be PCI-compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07’s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible.” – TJX CIO, Nov. 2005
• The message above is from the CIO in November 2005 to his staff, requesting agreement on his belief that cyber security risk is low.
• There were only two opposing views; a majority of his staff agreed.
• This confirmation trap led to postponing upgrades.
Comparison of Results from FTC and CPC Investigations and STAMP/CAST Analysis

No.  Recommendation                                                     CPC   FTC   STAMP/CAST
1    Create an executive level role for managing cyber security risks.  No    *     Yes
2    PCI-DSS integration with TJX processes.                            No    No    Yes
3    Develop a safety culture.                                          No    No    Yes
4    Understand limitations of PCI-DSS and standards in general.        No    No    Yes
5    Review system architecture.                                        No    No    Yes
6    Upgrade encryption technology.                                     Yes   No    Yes
7    Implement vigorous monitoring of systems.                          Yes   No    Yes
8    Implement information security program.                            No    Yes   Yes

CPC = Canadian Privacy Commission
FTC = Federal Trade Commission
* = Indicates a recommendation that is close to the STAMP/CAST-based analysis but also has differences.
Research Contributions
1. Highlighted need for systematic thinking and a systems engineering approach to cyber security.
2. Tested STAMP/CAST as a new approach for managing cyber security risks.
3. Discovered new insights when applying STAMP/CAST to the TJX case.
4. Recommendations provide a basis for preventing similar events in the future.
5. The US Air Force has successfully implemented, and is implementing, STPA as a cyber security measure.
6. STAMP/CAST/STPA is compatible with the NIST Cybersecurity Framework, UK Cyber Essentials, IEC-62443 and other cybersecurity standards.
Application to Cyber Physical System (Stuxnet Example)
Future Research Directions
• Continue applying CAST for cyber security attack analysis and generate a comprehensive list of recommendations that include:
  • Improvements to mitigate technology vulnerabilities
  • Ways to address systemic issues related to management, decision making, culture, policy and regulation.
• Apply the System Theoretic Process Analysis (STPA) approach to identify system vulnerability prior to an attack.
  – (IC)3 has started a project to ensure the cyber security of complex power grids, working with major grid operators in the US, Dubai, and Singapore.
MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC)3
Questions?
Michael Coden, CISSP, Associate Director MIT-(IC)3
[email protected]
http://ic3.mit.edu
Presented at the International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange, International Atomic Energy Agency, June 2, 2015, Vienna, Austria